PEGA-Untersuchungsausschuss: Auch private Akteure wie Firmen nutzen Trojaner

Am 23. Januar beschäftigte sich der Staatstrojaner-Untersuchungsausschuss in Brüssel mit dem Einsatz kommerzieller Überwachungstechnologien durch private Akteure.

Maciej Broniarz, IT-Analyst an der Universität Warschau, erinnerte die Abgeordneten daran, dass sie beim Fokus auf staatliche Akteure nicht vergessen sollten, dass „dieselben Technologien [wie Pegasus] von kommerziellen Einrichtungen beispielsweise gegen ihre Mitarbeiter eingesetzt werden können“. Es bestehe kein Zweifel daran, dass der Einsatz von Überwachungswerkzeugen in Zukunft stark zunehmen werde – bei staatlichen und privaten Akteuren.

Die liberale Berichterstatterin Sophie in ’t Veld hakte nach und fragte, ob private Unternehmen oder Personen überhaupt die finanziellen Mittel hätten, um Tools wie Pegasus zu bezahlen. Broniarz erwiderte, dass private Unternehmen „sehr oft“ genug Geld zur Verfügung haben. Letztlich sei es daher eine politische Entscheidung der Anbieter von Überwachungstechnologie, an wen sie ihre Tools verkaufen.

Eric Lefevre, technischer Berater des französischen Innenministeriums, nutzte seine Redezeit vornehmlich dafür, zu betonen, dass Frankreich einen strikten rechtlichen Rahmen für den Einsatz von Überwachungstechnologien habe. Französische Autoritäten hätten bei Sicherheitsmaßnahmen in Bezug auf Abhör- und Überwachungspraktiken „noch nie“ versagt.

Die liberale Berichterstatterin des Ausschusses Sophie in ’t Veld widersprach. Es könne nicht die Rede sein von adäquaten rechtlichen Sicherheitsmaßnahmen in Frankreich. Schlussendlich könnten „die französischen Behörden in jeder Situation Spionageprogramme einsetzen, ohne dass es für die Betroffenen Abhilfe gibt“.

Von der Anhörung gibt es ein Video, aber kein offizielles Transkript. Daher veröffentlichen wir ein inoffizielles Transkript.

• Date: 2023-01-23
• Institution: European Parliament
• Committee: PEGA
• Chair: Jeroen Lenaers
• Experts: Maciej Broniarz (Center for Forensic Science, University of Warsaw), Eric Lefevre (Technical Advisor, Central Directorate of the Judicial Police in French Ministry of the Interior)
• Links: Highlights, Video
• Note: This transcript is automated and unofficial, it will contain errors. The transcript was shortened in some places for better comprehensibility.
• Editor: Tim Wurster

Use of Spyware by private actors

Jeroen Lenaers (Chair): Okay. Good afternoon. Dear colleagues, it’s good to see you all again. We last saw each other last Thursday morning, so it doesn’t feel that long ago. We have interpretation today in German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian.

We have an agenda for today. I regret to inform you that Undersecretary Estévez informed us that due to unforeseen scheduling issues that arose, he could not join us. Today we are exploring the possibilities to reschedule. But for now, it means that point three on the agenda of the day is cancelled. So, without information, if there are no other comments, I consider the agenda adopted and we move immediately to point two of our agenda, which is the hearing on the use of spyware by private actors.

So first we start with this hearing and to participate we have the following speakers, Mr. Maciej Broniarz, who was an I.T. systems administrator, and Mr. Erik Lefevre, who was a technical advisor at the Central Directorate of Judicial Police in the French Ministry of the Interior, and he is with us in presence today. But we will start with our colleague who is connected remotely. Mr. Maciej Broniarz. He is an IT systems administrator professionally associated with the University of Warsaw, a lecturer at the Faculty of Mathematics, Computer Sciences and Mechanics of this university. And he’s also a collaborator of the Polish Forensics Society in the field of security. So, he is very much an expert in security, computer forensics and computer security incident response. I will give you the floor for about 10 minutes and then we continue with Mr. Lefevre, after which we open the floor for questions and answers. And if any members would like to take the floor during the question and answer now, of course, always already welcome to indicate that. So, thank you very much. Can I pass the floor to Mr. Broniarz?

Maciej Broniarz (Center for Forensic Science, University of Warsaw): Good afternoon. Thank you, Mr. Chair. Ladies and gentlemen, thank you for inviting me to share my thoughts regarding the use of spyware by private actors. My name is Maciej Broniarz, and I’m a computer forensics analyst working for the central forensic scientists at the University of Warsaw. I have also worked as an incident response consultant for over a decade, and I have worked on multiple cases regarding spyware, ransomware, and data breach incidents both in the EU and the US.

Much has been already said regarding Pegasus abuses by certain governments. So today I will focus on other examples of spyware and the potential threat to privacy. And then I’ll try to briefly talk how Pegasus scandals lead to undermining the trust in public authorities, especially law enforcement agencies.

Jeroen Lenaers (Chair): Mr. Broniarz Thank you. If I make one request is to speak slowly. It’s just, but for the interpreters, it’s very difficult to interpret into other languages if you speak too fast.

Maciej Broniarz (Center for Forensic Science, University of Warsaw) : Okay, I’ll try. Thank you. And of course, yeah.

Finally, I’ll indicate how the methods of remote work that became very popular during the pandemic of Covid-19 may potentially lead to creating a grey area regarding citizens privacy and their rights not being fully protected.

Whereas the attention of policymakers, civil society and public opinion have been focused on Pegasus, the market of highly intrusive spyware is snowballing. Software like Candiru from Israel, predator from North Macedonia, Stone from Spain or Hermit created and developed in Italy, offers similar functionality as Pegasus. Back in 2015, we have learned about a malware family called Animal Farm attributed to the French intelligence. We still don’t know how many governments, either in the EU or other countries in the world, are still working on similar technologies as we speak now. We don’t know where and how those technologies are used, either.

We have a recent example, for example, in Rwanda where the spyware is used actually to target the opposition and the political opponents of the Rwandan government. And that’s why the EU should implement a legal framework to ensure that such technologies, although very often necessary for security reasons, should not be developed and more important, not be used without the proper supervision.

Speaking of security reasons, my professional experience also shows that after the Pegasus scandal, every other enforcement attempt to purchase a cybersecurity related tool raises a red flag among stakeholders and public opinion. For example, in Poland, the police pursue to purchase a computer a forensic tool for data acquisition and analyses of mobile devices. The technology is crucial for the forensic acquisition of evidence in case regarding example child abuse, although in the mechanism even the technology is different that because, for example, you require physical access to the device, so it can be taken from somebody and taken into custody, I still, the public opinion, remain concerned.

What if that technology is available and can be abused by the state authorities in the same way as Pegasus was? Unfortunately, without a specific and effective court and civic oversight of the police and law enforcement agency, those situations will lead to undermining the general trust in public authorities.

Thirdly, while focusing on governments using spyware, we must remember that the same technologies can be used by commercial entities against, for example, their employees. The rise of commercial spyware used by private actors is one of the untold stories of the pandemic. One could only presume that spyware is used to extract company data from a rival company, but is very frequently a different case. There is a reason that spyware, or bossware, may be used to control the workers of a particular company. And that process, although more and more popular, is often not known by the monitored employees.

Even without the special software, a company that uses, for example, a badly configured VPN solution for remote workers can gather more data than required by the company-needs. What is more worrying: that data can be analysed and used in certain situations against the employee. Some systems claim to be an AI-driven risk score analysis provider, but from a different perspective, they are tools that monitor the employee activity online. And that data, as said earlier, can be gathered and used against the employee.

Also, some popular cloud-based office services combined with, for example, MDM plus systems deployed on laptops or mobile devices, can be used to breach employee’s privacy and monitor activities outside the work related scope and collect process and analyse the data that is very sensible and should not be gathered by anyone except the owner of the data.

Few of such cases were already discussed in public by, for example, Guardian in the spring of 2022. The employee’s, how do they even realize that all the information regarding the network activities can be monitored, stored, analysed and archived by the company? It is mainly due to the lack of general supervision and discussion on that issue and very often the company’s proper internal policies, even those regarding GDPR, due to basically an omission of or lack of knowledge.

The misuse of remote monitoring tools, called bossware, may lead to comparable breaches in privacy, that are very similar to those of, for example, Pegasus. We must not forget that the role of the EU and national government is to protect the citizens from such incidents too.

Ladies and gentlemen, it is certain that in the future there will be a significant growth of spyware systems used by both governments and the private actors. That growth, however, must be matched with policy changes preventing the abuse in terms of spyware. I remain at your disposal if you want any further information. Thank you for your attention.

Jeroen Lenaers (Chair): Thank you very much, Mr. Broniarz. I’m sure there will be questions from my colleagues, but we’ll first listen to our other guest who was with us in the room today, Mr. Eric Lefevre, who is the technical adviser at the Central Directorate of Judicial Police in the French Ministry of the Interior. You also have about 10 minutes to make an introduction, and then we’ll open the floor to questions and answers.

Eric Lefevre (Technical Advisor, Central Directorate of the Judicial Police in French Ministry of the Interior) : Mr. Chairman, honourable Members of Parliament, thank you for having invited me as a participant to your hearing at the PEGA. I am the head of Telecommunications in the Ministry of Interior, and I’m the technical advisor and Director of the fight against cybercrime within the Central Judiciary Police in France, which is competent for everything that goes on throughout the French territory.

So as regards the capture of remote data in France, it is a means of special inquiry, such as the use of IMC capture or the sounding or the capture of images of certain vehicles and other assorted images. This capture can be set up either under a judicial framework, which will be the object of my presentation, or an administrative one. So, I will not talk about administrative framework because it’s been recently presented by Mr. Serge Lasvignes last week at your committee, and he is the chair of the National Committee for Controlling the Information Techniques in France.

Criminally speaking in France, this technique can only be implemented for the following crimes and misdemeanours, as stated in Articles 66, 73 and 73 part one of the French Criminal Code. And what are they about? They cover murders committed as part of organized crime, torture and barbaric acts committed by organised gangs and crimes of narco traffic and other organised crimes, human trafficking, aggravated separatism and organised gangs, robberies, extortions, destruction, degradation and deterioration of goods committed perpetrated by gangs. And acts of terrorism. And finally, any. Crime that can threaten the nation. There are also other misdemeanours such as the aid to enter , entry and circulation of illegal persons committed by organised crime and anything else deriving from other infractions. Organised crime to prepare murder, money laundering or aeroplane hijacking. Lack of justification of resources that finance abnormal living standards. Hijacking of any kind of transport committed by organised gang. And the sanctions are ten years of prison sentencing.

And then there’s the misdemeanours regarding but pertaining to arms and mines and environmental crimes committed by organised gangs as well as fraud and extortion, especially those having to do with the abuse of personal data. And I’m thinking particularly of the French hospitals that have been recently victims in their I.T. systems, the use of a person’s exercising a hidden work. The use of undeclared labour, import and export, transit, sales or acquisition of cultural goods. So obviously this is the cultural goods trafficking, and misdemeanors having to do with natural resources committed by gangs and also pharmaceuticals and plant protection products as well as organised crime carrying out illegal gambling exercises. I’m sorry about this really long list, but the judiciary can only order data capturing and listening and interceptions throughout this list.

So as regards the investigations. In 2011, we have certain articles in the Penal Code that envisage the possibility for the prosecutor or the investigating judge. Investigating a crime that falls within the scope of this list that I’ve just read through to implement a technical means to register and record data and keep it in a system. As long as it’s part of an automated data capturing system or as received and emitted by peripherals. Article 706102 was written eight years after the first law, and it states which articles are applicable during investigations and are no longer the times audiovisual peripherals so that you can capture really all sorts of things on hard drives like external means, USB keys and what have you. So with this new article 706102 allows for the creation of a technical means to access I.T. data, register it, keep it, and transmit it as it is kept in the computer system, such as on computer systems. And as they are transmitted by peripherals, the prosecutor and or investigating judge can designate any physical or legal entity as per the ECI expert list, allowing them to use the data. Under this article, the prosecutor or the investigating judge can also request the state to investigate things subject to a national security protocol during initial investigations.

When the public prosecutor is involved, the period is one month and it can only be renewed once for the same length of time. And this goes out with an order signed by a judge. And then when you have a judicial inquiry. When it’s an investigating judge, then the time line is four months renewable again with a signed order by the judge, with the okay of the public prosecutor in France. Which services can use these? There’s a unit that can be set up to install the means to record this data. Obviously, the central judiciary police and its central offices as per Article D 15 one six of the Criminal Code. And in addition to the judicial police, there’s also the DG SEC, which the internal intelligence service, the National police, the National Gendarmerie, the Central criminal services of the gendsrmerie and its intervention groups. A decree of 18th December 2015 concerns the treatment of these data. According to the Criminal Code, it authorises the Ministry of Interior to set up a data treatment system, an individual scope to collect. Record and treat the data according to the code.

Article three of this decree states that the means to do this are to be developed by private companies subject to Article R 1263 of the Criminal Code. There is an inter-ministerial committee that validates and homologates these tools, and this only after an inter-ministerial investigation that depends on the Prime Minister. So the treatment of individual data can only come from these authorised means. And it can be only approved by either the investigating judge or the public prosecutor. When there is a risk of proves degrading quickly. In France, we have a national service which is called the National Service for the recording of Judicial, the judicial recordings. And this service is responsible for any tool to record computerised data according to our legal code. And therefore it is the one actually going ahead with using such tools.

Article seven of the decree also states that the the design and implementation of these tools are in the hands of recognised and approved bodies for a maximum of five years, and they are approved by the Ministry of Interior and are subject to controls. It’s not an exclusive competency of this national service, but this national service has a centralising role because the aim of centralising this recording means is a way to coordinate all services that potentially can use them. So that any machine or smartphone is not doubly listened to or acquired by a private company if their tools are already being put under the watch by someone, by another organism. And we’re also trying to avoid physical risk in case one has to directly get one’s hands on the actual computer or phone or what have you. So in France, we have a particularly strict set of rules because only a judge, which in France are completely independent, can order this use. And French authorities, since this is your committee’s competence, have never acquired or rented out the Pegasus spyware. And they have never failed in the fail safe measures of any listening tools. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Lefevre. There seems to be a technical problem with the website of the European Parliament, meaning that people that are wanting to follow the PEG committee end up at the hearing of the Fisheries Committee or the Internal Market Committee, and perhaps also vice versa. So any guests that were looking forward to follow the proceedings in the fisheries committees but ended up here, you are more thanwelcome to stick around. I hope you find the topic interesting, but we’re trying to at the level of the parliament, it’s a horizontal issue, so we’re trying to fix the problems so that people can actually follow the hearings that they would like to follow. And thank you a moment to our colleague, Sylvie Guillaume, for pointing it out to us. Thank you, Mr. Lefevre. We will now open the floor for questions, and I’ll first give the floor to our rapporteur, Sophie in ‚t Veld.

Sophie in ’t Veld (Renew): Thank you, Chair. Ultimately, it is all about a fishing expedition, but of a different kind. I would like to thank both our guest speakers here today. My first question is to Mr. Broniarz.

The kind of spyware that we are talking about in this committee is, at this moment in time, very, very expensive and out of reach for, you know, most normal people or small companies. We’re talking about stuff that costs millions. And I know that there are simpler versions of spyware out there which are cheaper. But if you want the capabilities of Pegasus and similar spyware, you still need to pay a lot of money. But do you think at the current speed of technological developments that a Pegasus like spyware or spyware with that kind of capability will be available to, you know, no millionaires in the foreseeable future?

Then to Mr. Lefevre, first of all, I would like to ask you if it’s possible to have your speaking notes because you made a lot of references to different kinds of crimes in legal articles and what have you. And that would be very useful for us to have it in writing, in particular as we are preparing amendments at this moment in time.

Two questions. One question is, you say that there is a very strict legal framework in place in France. I would tend to disagree because even, you know, disregarding knowledge I have of the system, you have given us a very long list of crimes and misdemeanours for which spyware can be used. You have given us a very long list of agencies authorised to use it. You also say that in certain cases that it can be declared a matter of national security. There is also kind of general clause saying that any crimes that affect the fundamental interests of the state, which could be anything basically for, you know, and then victims or targets are basically unable to get any information about, you know, whether or not they have been targeted. So, they are completely defenceless. Their right to legal remedy in reality does not exist. And I have explained last week how that works in practice. I have a bit of experience myself and it basically doesn’t work. So how exactly do you consider this to be a strict legal framework? Because the bottom line is the French authorities can use spyware in any situation and there is no remedy for for the targets.

The second question is, I mean, in this kind of situation, there is likely to be abuse. You know, public officials who abuse their right of access to information to get access about, I don’t know, people they know or for purposes of corruption or whatever this happens, you know, where there are human beings, they are also disregarding the rules. But in the in the framework that you have described, it would be very, very difficult to detect that kind of abuse. So can you tell us, do you have cases of abuse where public officials have gained access to information for purposes other than the purposes that are legally authorised? And then one last question, because you say and we discussed this last week as well, that the use of spyware in this case. Or any kind of surveillance is may be authorised for a period of, say, one months to be renewed. The problem with spyware is that it’s not. Temporary spyware can be used to to access information going back in time without limits. You get access to metadata, to documents, to image material, to maybe even voice recordings, anything, anything, anything going back in time. For as long as the person targeted has been using digital services. So the authorisation for a period of one months is basically meaningless. So those are my questions to you.

Jeroen Lenaers (Chair): Thank you very much. And we’ll take the answers in the same order of the questions. It will start with Mr. Broniarz.

Maciej Broniarz (Center for Forensic Science, University of Warsaw) : Thank you for the question. That is basically an issue of a few factors that need to be taken into account. First of all, we need to remember that in terms of spyware and basically any malicious software, the cybercriminal community already has access to those technologies. So, that’s not just the case of the government. Apart from that, the government very often needs to pay very, as we have said, huge amount of money to access the technologies. But very often, corporations have the same amount of money, and it’s rather the case of a political decision of such a vendor whether they will accept a contract from a certain corporation and not from a government.

And then again, we must take into account that the problem with Pegasus or any other spyware is very often the deployment of that software on the device of a person that we want to spy on and to. When we are speaking of private actors and corporations, very often they have access to the devices of people they want to monitor when we go to the other. So that infestation problem that is very often the huge cost factor is negligible. And there is one more thing because you have said in your question regarding the data collection that can be stored and analysed in the future and very often mobile devices that people are using are using encryption algorithms that are sufficient for the time being. But for example, when quantum computers will become available and at the nearest future, that data will no longer be treated as securely encrypted. So certain government, corporations and basically any criminal can gather the data and storage for the time being and be able to encrypt it somewhere in the future. And the data can still be harmful, for example, to the person that data is regarding.

Jeroen Lenaers (Chair): Thank you, Mr. Lefevre.

Eric Lefevre (Technical Advisor, Central Directorate of the Judicial Police in French Ministry of the Interior) : Thank you very much, Chair. Madam Deputy, your first question. You talk about the long list of crimes and misdemeanours, and also ways of capturing data. Now in regard to all of these different crimes. It falls under the law, voted by the French parliament. It was adopted by a broad majority in 2011 and 2018. So I don’t have anything further to say in my function of representing the Interior Ministry. I don’t have any further comments to make with regards to the law, which was voted.

Now, on the list of agencies. That is a decree, a decree from the Interior Ministry at the request of the Prime Minister based on articles under the law, and this goes in the same direction. Now. It may seem significant, but these agents, they fall under the judicial police. They’re controlled by the public prosecutor, these judges for freedom in detention as well, and magistrates. So these are not just any type of agents. These are people who are under very strict controls.

You also talked about the targets, the people targeted and whether they know if they’ve been infected by this spyware or not. Now, coming back from the judicial perspective rather than the legal perspective, someone who is. In this particular situation before. A magistrate has access to their entirety, their file together with their lawyer. So if there was a capturing of data, if there was spyware on their computer or their smartphone, then all of this will be set out in the documentation.

Now, if due to this spyware there is proof of crimes, then the person has a full opportunity to defend themselves, to say, for example, it wasn’t their phone, the phone was used by somebody else. So nothing at all is hidden here. These judicial police, their actions, all of this information, all of this will be in the file. It’s transmitted to the defendant, to the defence. So when a person is remanded, when they’re before the court. Clearly all of this evidence is presented before the tribunals and debated by the lawyers. So people’s rights, their right to defend all of this is respected.

Now, civil servants that may have had access to information that is not set out under the law. I do not have knowledge of this. If civil servants used commercial spyware and unfortunately this does exist, I’m not going to go into all of them here. I don’t certainly don’t want to give anyone any ideas. But people who want to listen to their competitors, their spouses, for example. If these police agents were to use such methods, if this were to be made known, of course they would be punished accordingly.

And then finally, your question on the spyware, the software to give information on all the data. Under the law, there is a provision to have access to data which is stored under an IT system from a computer or from a smartphone. In this case, the legislator wanted to have this option. This is an option available to our services. And if this is not to be satisfactory, then the law will have to be changed. But that does not fall under my purview. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Heide

Hannes Heide (Socialists and Democrats): Thank you, Chair. My question goes to Mr. Broniarz.

At the beginning you were mentioning quite fast some names and products of surveillance, spyware. About that, you told us that there are similar to Pega. Could you repeat their names. And what’s so special about them?

And the question from our rapporteur, Sophie in ’t Veld, was about access of private for private use to all these products. And you said it’s not a question, it’s a question of money. Is it a question only of money? Or do you know any surveillance spyware that’s easy easily to get for private actors?

And we often heard about a market, the black market, via the darknet. Do you have any any knowledge about or can you tell us more or make clear how it is going and who are the sellers and who the customers are? Thank you.

Maciej Broniarz (Center for Forensic Science, University of Warsaw) : Okay, so going back, there are certain softwares that in terms of functionality are similar to Pegasus. The problem is that very often when the company creates such a product, it doesn’t advertise it very openly on the website. So it’s very often the names that we come to know are in effects of general investigation or some kind of data analysis wherein that was the case, for example, with the animal farm malware that was found in various country and it was analysed and attributed to probably different intelligence.

But the technologies that I was talking about are, for example, Candiru that is developed in Israel. There is a software called Predator, which is basically very, very similar to Pegasus, and some countries decided to open the discussion about buying it. But I’m referring to that only based on some articles in the IT security media.

And there is a software called Varizon, which is developed in Spain, and there is a software called Hermit, which is created and developed in Italy, and they offer similar functionalities to Pegasus. But very often the functionality itself isn’t the key factor, very often the usage scenario is the thing that can be troublesome in terms of the software.

And to answering the question regarding how to purchase the software. We have probably two scenarios that are most probable at the moment. There are situations where somebody can purchase the software on a black market and but those are very often custom or tailor made software to target and search. And I don’t know, business competitive, for example. And there are certain markets in the Internet that you can pay with cryptocurrencies and obtain access to certain data or certain technologies. But that’s just one scenario in the scenario has been with us for as long as spyware in black market Internet is available. And but on the other hand, we have huge corporations that can have access to DOS technologies because when we analysed the budgets of certain companies and compare it to the budgets of cyber security services, in particular European countries, then suddenly the amount of money is much more is larger on the on the side of the corporation.

So probably but that’s just my personal opinion. Probably the situation that the assertion vendor of spyware like NSO Group would not agree to sell the software to a certain corporation is a business based decision. And that’s why, for example, Israel decided to accept every deal that NSO makes before the deal is put through. But without the supervision, without that control, probably in the future we will see several events where a corporation will conduct some kind of espionage process based on the spyware software that they have purchased from a certain company.

Jeroen Lenaers (Chair): Thank you very much. Hannah Neumann.

Hannah Neumann (Greens): Thank you, Chair. And I would have a number of questions to both speakers and then a number of questions directly to Mr. Lefevre. I’m over here. If you’re trying to find me. Hi.

All the spyware that we’re talking about gains access to our mobile devices based on certain vulnerabilities that some people are aware of. And companies don’t close them because they sell these vulnerabilities rather than alerting companies, technical companies, mobile phone companies and others of the existence of these vulnerabilities. So now we have apparently state produced spyware working with these vulnerabilities. France has state produced spyware. It doesn’t have to purchase it from private actors. Others purchase spyware from NSO and others to to do this kind of surveillance. But all of these technology, to my understanding, is based on vulnerabilities that are being sought on black market or halfway black market and that are therefore not being closed because everyone wants to use it for for their security mechanism.

So for me, the first question is, I mean, how do we know that these kind of vulnerabilities only go to companies or to states that use them only as the state within the sort of law framework? And how can we be sure or can we be sure at all that they are not also being sold to companies we’re not even aware of that develop spyware for private actors? That’s the first question.

And the second question is even companies such as NSO, who promised us here that they are not selling their spyware services or make them available for private actors. How can we be so sure this is the case? I mean, they told us many things and we learned in hindsight that maybe it wasn’t true. So how can we be sure they don’t do that?

That brings me to the question to both, because also, are you aware at the moment of private actors either inside the European Union or outside the European Union that are or have in the past used spyware? So do we have knowledge of that? And if yes, could you please share that with us? Because frankly said that were the kind of information that I was actually waiting for under the title of our hearing today.

And then the third question going to both speakers is wouldn’t be an obligation to everyone who finds this vulnerability is to immediately forward them to, I mean, the technical companies in charge to close them not be the right way to make sure that we don’t have private actors to use. And these vulnerabilities, maybe even against the state, against us, against citizens, because for me, it should not be a question of money, whether one is secure or not and whether one can use this abusive spyware or not.

And then I have two questions directly to Mr. Lefevre. I’m very happy that we have you here. And you spoke a lot about how you regulate the use of spyware in France. And I think ´Sophie in ’t Veld made a number of comments that I share. For me, the question is you said you never bought or used Pegasus spyware, but we are all very aware that the French state has its own spyware.

So for me, the question is what are actually the capabilities of the spyware that France uses in terms of, for example, retrieving data that was produced before we had a certain legal court ruling that the person can be spied upon in terms of modifying data such as Candiru can do. So what are the capabilities of the state owned and produced and the French spyware? And where does the French spyware get its vulnerabilities that it’s using and exploring to get access to to and uses devices from? Is that the same kind of a black or half black market that I mentioned in my first question? Thank you very much.

Jeroen Lenaers (Chair): Thank you. We’ll start with Mr. Lefevre.

Eric Lefevre (Technical Advisor, Central Directorate of the Judicial Police in French Ministry of the Interior) : A lot of questions there. So I will try and respond as simply as possible. So how do we know that these vulnerabilities are only being exploited by states and not by private actors? From my perspective in the Interior Ministry. We have not had any such cases or inquiries along these lines. In a subdivision in tackling a cyber crime. They would be dealing with such cases if people had been infected by spyware in this way, if there were non-state actors. Now this information is in the press. So this is something we can talk about. There were tens of people who complained in France. They brought a case to the public prosecutor for having had their devices infected by spyware. So there is a judicial investigation. I can’t really provide much more information than that. This is an ongoing inquiry to determine whether or not the Pegasus spyware that infected the devices of these journalists, NGOs, ministers; what exactly was behind them. I do not have any knowledge of the use of the satisfying way by the private actors. That is not to say that that is not the case, but we haven’t had any cases brought by people saying that they were spied upon with this type of spyware. Often it is quite complicated, in fact, to prove whether or not you were infected.

A major company in France, the postal service, they are developing in India, a system that will allow you to know whether or not your phone has been infected by this commercial spyware instead of that perpetrated by state actors. So women who are being harassed, who are being spied on by their husbands, for example, or competitors in the business world who want to know if they’re being spied upon in that sense. So this is a project that the post group is testing in seven branches of the police force in Paris, and then it will be spread across to other. Police departments in Paris. So it’s a red or green telling you if it’s been infected or not. This means that the person can then make an official complaint and then the forensic analysis will be carried out of the phone by someone who is specialised from the police service to prove that this person was indeed spied upon.

Now, with regards to the people and the vulnerabilities. Now, it’s true that we’re talking about a significant market here. We’re talking about very specialised services and companies that look at the source code and look at the vulnerabilities from Android or iOS. To allow these types of infections of spyware to take place. Now, of course, Google or Apple are not informed of these vulnerabilities and these are trade secrets that are sold at a high price. The French services or those from other countries have their own people who hunt through the software codes from iOS or Android to find these vulnerabilities and to exploit them for viruses. So. It’s a little bit of a race to see who gets there first. There are a lot of different antivirus programs such as Norton and others. And every day when you turn on your computer, you have an update in terms of your anti-virus software. And if these vulnerabilities are detected by Google, Apple, they will update those and those vulnerabilities will disappear. Now the people buy this information, these vulnerabilities that can be exploited. It’ll only last a few days and it’s very, very expensive. So state actors, of course, are also looking for these vulnerabilities, as well as those selling them and the states that will buy those.

Now, with regards to France. We do not do this. As I said, it’s very expensive and we don’t know how long these vulnerabilities exist. We hunt for them instead ourselves. Now, do we have our own spyware? Yes, we are looking at that at the moment. We put in place this spyware from 2011, from the date of the law, and we put a lot of time into this spyware software. We were very much behind compared to other actors. The first infections were carried out in 2008, and it took us about seven years to get to that level. And we’re really quite a long way off from Pegasus.

The black market. You mentioned that as well. France does not buy spyware from the black market. So as simple as that, and I hope I’ve managed to answer your questions.

Jeroen Lenaers (Chair): Thank you very much. That was a very clear answer. And then we move for the first two general questions that were asked to both speakers, also to Mr. Broniarz.

Maciej Broniarz (Center for Forensic Science, University of Warsaw) : Answering the question. First of all, we need to remember that there is a process of escalation. So basically the public opinion becomes aware that there is a certain threat like Pegasus, for example, and there are certain remedies put in place to prevent that infestation from happening. And then again, the companies that make their living out of producing such software again, are looking for for certain vulnerabilities to exploit. And basically the story goes on.

There is one more problem that we probably don’t pay attention to, but there is a situation that, for example, when you are a government that decides to use certain spyware to spy on, for example, the opposition or any member of the parliament that is not aligned with the government view of politics, they don’t really need to infect the device using spyware because very various countries all around the world, there’s a situation where members of the parliament received the parliament given devices that are centrally managed and basically what software is deployed on that devices is known only to the parliament itself and the information about how the data is processed is very often not a question for discussion.

So we need to keep that in mind. But apart from that, the idea to basically obligate anyone that finds a hole in the security of such a mobile device to report it to the device vendor or to the software vendor, because that’s a very often the case is good, but it cannot be implemented properly because the majority of those holes are detected in a situation that a researcher is working outside of the EU or for example, that their vulnerability is published somewhere on the black market. So basically there is no real way to execute and and enforce that law into action.

Regarding the situation where the spyware is used by private corporation or by private actor, actually, there are not many cases documented yet, there is a quite freshly documented case from Rwanda where the software was used against the Civil Rights Society members and their families, for example, because they wanted to monitor where the citizen persons being held and how can the person be influenced, for example. But that is probably a grey area between the private actor and the government actor.

But we should also take into account that there are certain situations where a company’s just monitor the majority of their employees and their effectiveness when they are working remotely because they want to know that the person is available really like full time and the person is really in front of the computer working. And there are cases that are not so interesting to the media, for example, because they are not use what was the unfortunately. But then again, probably those cases will be documented in the near future because I understand that the very, very large amount of companies are using such technologies to overcome the difficulties that they have encountered when remote work took over.

Jeroen Lenaers (Chair): Thank you very much, Mr. Broniarz. We don’t have any other requests for the floor, so that concludes our hearing for today. Thank you very much to both our speakers for taking the time to be with us and for answering all the questions in such an elaborate manner.

Since we have a cancellation of the next point on our agenda. Due to the unavailability of Mr. Undersecretary Estévez, we can finish early today, which is also nice for a change. And I would like to ask Mr. Lefevre and indeed our rapporteur, asked already, if we could have a copy of your speaking notes, especially also for those colleagues who tried to follow online but not necessarily ended up in our digital committee room today. That will be very helpful. So thank you very much. And we see each other tomorrow morning at 9:00. Thank you.